Munchables, an NFT game running on the Ethereum layer-2 blockchain Blast, has fallen victim to a substantial $62-million exploit. The breach was announced on March 26, with the Munchables team attempting to track the movements of the exploiter. Blockchain analyst ZachXBT identified the alleged attacker’s wallet address, which currently holds $62.45 million worth of Ether, indicating the scale of the breach.
The exploit involved interactions with the Munchables protocol, resulting in the extraction of 17,413 ETH from the game. The exploiter then utilized the Orbiter Bridge to convert Blast ETH back into native ETH and transferred additional funds to a separate wallet. Allegations suggest that the attack was planned in advance, with a developer upgrading the Lock contract shortly before the launch, enabling the attacker to manipulate storage slots and assign themselves a significant Ether balance.
At 4:40 am UTC on March 27, Munchables identified the hacker as one of its developers. After an hour of negotiations, the former developer agreed to return the hacked funds voluntarily. It took almost eight hours for the Munchables developer, previously involved in the hack, to have a change of heart and return $62.8 million worth of Ether stolen in the exploit, refraining from requesting a ransom.
